CVE-2026-23831

CVE-2026-23831

Name

CVE-2026-23831

Description

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This issue has been fixed in version 1.5.0.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/sigstore/rekor/commit/39bae3d192bce48ef4ef2cbd1788fb5770fee8cd
MISC	https://github.com/sigstore/rekor/releases/tag/v1.5.0
CONFIRM	https://github.com/sigstore/rekor/security/advisories/GHSA-273p-m2cw-6833

Type

URI

MISC

https://github.com/sigstore/rekor/commit/39bae3d192bce48ef4ef2cbd1788fb5770fee8cd

MISC

https://github.com/sigstore/rekor/releases/tag/v1.5.0

CONFIRM

https://github.com/sigstore/rekor/security/advisories/GHSA-273p-m2cw-6833

CPE URI	Source package	Min version	Max version
	rekor	>= 0	< 1.5.0
`cpe:2.3:a:linuxfoundation:rekor::::::::`	rekor	>= None	< 1.5.0

CPE URI

Source package

Min version

Max version

rekor

>= 0

< 1.5.0

cpe:2.3:a:linuxfoundation:rekor:*:*:*:*:*:*:*:*

rekor

>= None

< 1.5.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
rekor	edge-community	1.4.2-r2	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.4.2-r1	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.4.2-r0	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.4.0-r2	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.4.0-r1	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.4.0-r0	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.3.9-r4	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.3.9-r3	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.3.9-r2	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.3.9-r1	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.3.9-r0	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.3.6-r2	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.3.6-r1	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.3.6-r0	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.1.1-r0	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	3.23-community	1.4.2-r6	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	3.23-community	1.4.2-r5	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	3.23-community	1.4.2-r4	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	3.23-community	1.4.2-r3	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	3.23-community	1.4.2-r2	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	3.23-community	1.4.2-r1	kpcyrd <git@rxv.cc>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages